A friend of mine — a software engineer with 15 years of experience — nearly wired £4,000 to a scammer last year. The email said his company's cloud hosting was about to be suspended for non-payment, with data deletion in 12 hours. He was halfway through the bank transfer when his co-founder asked why he looked so panicked.
He's not stupid. He's not careless. He's human. And that's exactly what scammers count on.
Your brain has two speeds (and scammers know which one to target)
Psychologist Daniel Kahneman described two systems of thinking: System 1 (fast, automatic, emotional) and System 2 (slow, deliberate, logical). Most of the time, we think we're operating in System 2. We're not. The vast majority of our daily decisions run on System 1.
When a scam email triggers fear or urgency, it activates your amygdala — the part of your brain responsible for threat detection. This is sometimes called an "amygdala hijack." Your brain shifts into fight-or-flight mode. Blood literally flows away from your prefrontal cortex (where critical thinking happens) and toward the systems that handle immediate threats.
This is a survival mechanism. If a tiger is charging at you, you don't want to carefully evaluate your options. You want to run. Now.
Scammers have figured out how to make your brain think there's a tiger — using nothing but text on a screen.
The five triggers scammers exploit
1. Time pressure
"Your account will be closed in 24 hours." "Respond within 2 hours to avoid penalty." "Immediate action required."
Deadlines compress your decision-making window. Research from the University of Minnesota found that time pressure significantly reduces people's ability to detect deception. When you feel rushed, you skip the verification steps you'd normally take.
2. Authority
"This is from the IT department." "HMRC has identified a discrepancy." "Your CEO has authorised this payment."
We're wired to defer to authority — psychologist Stanley Milgram's famous experiments showed people would administer what they believed were dangerous electric shocks when instructed by someone in a lab coat. Scammers impersonate bosses, government agencies, banks, and tech companies because authority suppresses questioning.
3. Fear of loss
"Your account has been compromised." "Suspicious activity detected." "Your files will be permanently deleted."
Loss aversion is one of the strongest cognitive biases humans have. Kahneman and Tversky's prospect theory showed that the pain of losing something is roughly twice as powerful as the pleasure of gaining it. Scammers don't offer you something — they threaten to take something away.
4. Social proof and isolation
"We've already contacted your colleagues about this." "This has been verified by our compliance team." Or conversely: "Do not discuss this with anyone due to the ongoing investigation."
Some scams create fake consensus. Others deliberately isolate you — particularly in CEO fraud, where the "boss" tells you to keep the urgent wire transfer confidential. Isolation prevents you from doing the one thing that would break the spell: asking someone else.
5. Helpfulness and reciprocity
"We've already prevented a fraudulent charge on your account — we just need you to verify your identity." "Your package is waiting — just confirm your delivery address."
These are subtler. The scammer frames the interaction as them helping you, which triggers reciprocity bias. You feel obligated to cooperate because they've apparently done something for you.
Intelligence doesn't protect you
This is the uncomfortable part. Multiple studies have found that higher education and intelligence provide little protection against sophisticated scams.
A 2019 study published in the British Journal of Psychology by Stephen Lea and colleagues found that vulnerability to scams was more closely associated with psychological traits (like consistency motivation — the desire to follow through on commitments) than with intelligence or education level.
The UK's Financial Conduct Authority found in 2022 that victims of authorised push payment fraud came from all demographics, with a significant proportion being well-educated professionals. The FCA specifically noted that anyone who believes they're "too smart to be scammed" is arguably more vulnerable, because they're less likely to double-check.
AARP's 2023 fraud survey in the US found similar patterns: adults aged 30-49 with higher incomes reported more fraud losses than other demographic groups. Not because they're less intelligent — because they're more likely to have accounts worth targeting, and more likely to engage confidently with what looks like a legitimate communication.
Real examples that catch real people
Here are some of the most effective urgency scam emails circulating:
The HMRC/IRS tax scam
"You have an outstanding tax liability of £3,847.20. Failure to pay within 72 hours will result in enforcement action, which may include seizure of assets or court proceedings."
This works because most people have a vague anxiety about their taxes being wrong, and the specificity of the amount (not a round number) makes it feel real.
The Microsoft 365 admin alert
"Your organisation's Microsoft 365 subscription payment has failed. Services will be suspended in 24 hours. Update payment method immediately."
If you're an admin who actually manages M365, your heart rate just went up reading that. That's the point.
The "security team" account compromise
"We've detected a sign-in to your account from Lagos, Nigeria at 3:47 AM. If this wasn't you, secure your account immediately."
This one is clever because the correct thing to do when your account is compromised is to act quickly. The scam mimics legitimate security advice.
The boss wire transfer (BEC)
"I need you to process an urgent payment to a new vendor. I'm in meetings all day so can't call — please handle this by 4pm. Will explain later."
Business Email Compromise cost organisations $2.9 billion in reported losses in 2023 according to the FBI's IC3 report. It works because employees don't want to question their boss, especially when the boss seems busy and stressed.
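The five triggers can be turned into a simple "slow down" banner at the mail gateway. The sketch below is an added example, not part of the original article; the regex patterns, the function names and the flagging rule are assumptions built from the phrases quoted above.

```python
import re

# Patterns are assumptions derived from the phrases quoted in this article;
# tune them against your own mail before relying on them.
TRIGGERS = {
    "time_pressure": [r"\bwithin \d+ hours?\b", r"\bin \d+ hours?\b",
                      r"\bimmediate(?:ly)?\b", r"\burgent\b",
                      r"\bby \d{1,2} ?(?:am|pm)\b"],
    "authority": [r"\b(?:hmrc|it department|compliance team|ceo)\b",
                  r"\b(?:enforcement action|court proceedings)\b"],
    "fear_of_loss": [r"\b(?:suspended|compromised|seizure)\b",
                     r"\bpermanently deleted\b", r"\bsuspicious activity\b",
                     r"\bpayment has failed\b"],
    "isolation": [r"\bdo not discuss\b", r"\bcan'?t call\b",
                  r"\bwill explain later\b"],
    "reciprocity": [r"\bwe'?ve already\b", r"\bjust confirm\b"],
}
COMPILED = {name: [re.compile(p, re.I) for p in pats]
            for name, pats in TRIGGERS.items()}

def triggers_in(text):
    """Return {trigger: [matched phrases]} for each trigger found."""
    hits = {}
    for name, patterns in COMPILED.items():
        found = [m.group(0) for p in patterns for m in p.finditer(text)]
        if found:
            hits[name] = found
    return hits

def should_pause(text):
    """Urgency alone is the signal; so is any stack of two triggers."""
    hits = triggers_in(text)
    return "time_pressure" in hits or len(hits) >= 2

# Abridged from the article's examples, plus one constructed benign message.
SAMPLES = {
    "tax": "Failure to pay within 72 hours will result in enforcement "
           "action, which may include seizure of assets.",
    "m365": "Your subscription payment has failed. Services will be "
            "suspended in 24 hours. Update payment method immediately.",
    "bec": "I need you to process an urgent payment to a new vendor. "
           "I'm in meetings all day so can't call. Will explain later.",
    "benign": "Minutes from Tuesday's meeting are attached for reference.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, should_pause(body), sorted(triggers_in(body)))
```

A keyword list like this only prompts the reader to pause; a well-written lure can avoid every phrase in it, so a clean result is not a verdict that the message is safe.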
The Pause Protocol: what to do when an email makes your heart race
Here's the single most effective anti-scam technique I know. I call it the Pause Protocol, and it has exactly one step:
If an email makes you feel urgent, that's your signal to slow down.
That emotional spike — the anxiety, the "I need to deal with this RIGHT NOW" feeling — is not a sign that you should act fast. It's a sign that you should do the opposite. Legitimate organisations do not create situations where you must act in minutes or lose everything.
The full protocol:
1. Notice the feeling. Heart racing? Stomach tight? That's your amygdala firing. Acknowledge it.
2. Do not click anything. Not the link, not the attachment, not the button. Close the email.
3. Verify independently. If it claims to be from your bank, open a new browser tab and go to your bank's website directly. If it's from your boss, walk over to their desk or call them. If it's from HMRC, call the number on the official HMRC website — not the number in the email.
4. Wait 10 minutes. Almost no legitimate situation requires you to act within minutes. A 10-minute pause lets your prefrontal cortex catch up with your amygdala.
5. Ask someone. "Hey, does this look legitimate to you?" is the single most underused security tool in existence.
The scam works because it hijacks the gap between your emotional response and your rational response. The Pause Protocol closes that gap.
Why this keeps working (and will keep working)
Scam techniques evolve, but the psychology they exploit doesn't. We're running 200,000-year-old threat-response hardware in a world of sophisticated digital deception. That mismatch isn't going away.
AI is making this worse. Generative AI tools can now produce grammatically perfect, contextually appropriate phishing emails in seconds. The old advice to "look for spelling mistakes" is increasingly useless. Modern scam emails are well-written, well-formatted, and highly targeted.
The defence isn't technical literacy — it's emotional literacy. Recognising your own psychological responses and knowing when to distrust them is the most important security skill you can develop.




